Just days after President Biden called President Vladimir V. Putin of Russia and demanded that he act to shut down ransomware groups that are attacking American targets, the most aggressive of the groups suddenly went off-line early Tuesday morning, terminating negotiations over ransom payments and even bringing down the page where it boasted about its most successful extortion schemes.
The mystery is who made that happen.
The group, called REvil, short for “Ransomware evil,” has been identified by U.S. intelligence agencies as responsible for the attack that brought down one of America’s largest beef producers, JBS. Two weeks after Mr. Biden and Mr. Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July 4 holiday.
That latest attack led to Mr. Biden’s ultimatum in a phone call on Friday to the Russian president. Later, Mr. Biden said “we expect them to act,” and when asked by a reporter if he would take down the group’s servers if Mr. Putin did not, the president simply said, “Yes.”
He may have done exactly that. But that is only one possible explanation for what happened around 1 a.m. Eastern time on Tuesday, when the group’s sites on the dark web suddenly disappeared. Gone was the publicly available “happy blog” that the group maintained, listing its victims, and internet security groups said the custom-made sites where victims negotiate with REvil over how much they will pay to get their data unlocked were also missing.
While their disappearance was celebrated by many who see ransomware as a new scourge, one that Mr. Biden has called a critical national security threat, it left some of the group’s targets in the lurch — unable to pay the ransom to get their data back and their businesses back up and running.
“What’s the plan for the victims?” asked Kurtis Minder, the chief executive of Groupsense, a digital risk protection company that was negotiating with the extortionists on behalf of a regional law firm whose data was stolen.
There were three main theories floating around about why REvil, which seemed to revel in the publicity and reaped huge ransoms — including $11 million from JBS — suddenly disappeared.
One is that Mr. Biden ordered the United States Cyber Command, working with domestic law enforcement agencies, including the F.B.I., to bring the group’s sites down. Cyber Command proved last year that it could do just that, paralyzing a ransomware group that it feared might turn its skills to freezing up voter registrations or other election data in the 2020 election.
The second theory is that Mr. Putin ordered the group’s sites taken down. If so, that would be a gesture toward heeding Mr. Biden’s warning, which he offered, in more general terms, when the two leaders met on June 16 in Geneva.
And a third is that REvil decided that the heat was too intense, and took the sites down itself to avoid becoming caught in the crossfire between the American and Russian presidents. That is what another Russian-based group, Darkside, did after the ransomware attack on Colonial Pipeline, the U.S. company that had to shut down the gasoline and jet fuel running up the East Coast in May.
But many experts think that Darkside’s going-out-of-business move was digital theater, and that all of the key ransomware talent would reassemble under a different name. If so, the same could happen with REvil.
Just a few months ago, ransomware was considered largely a criminal problem. But after the attack on Colonial Pipeline, Mr. Biden and his advisers began to declare that attacks that threaten critical infrastructure constitute a major national security threat.